It's been quite some time since I posted here but I thought I might try and resurrect this blog. Normal technical content will follow in due course but this post is a test of my new admin UI. Historically, Pontoon (and this site by extension) relied upon direct SQL updates, but I've just integrated http://crud-admin-generator.com/ which gives me a nice shiny UI from which I can make changes. Time will tell, but I'm hoping this will resurrect my interest in the platform....

Background: A colleague asked me about fuzzing PHP. Verbatim from my email to security@php.net back in 2007:

I've been doing some work on fuzzing the PHP 4 and PHP 5 parsers and wanted to share my results with you. I know PHP 4 won't be supported for much longer and I have no idea whether any of these examples are directly exploitable; however, before I make them public I thought it was only right to give you a chance to comment. Feel free to ignore me if you so choose, but I'll be putting them up on my blog in 14 days unless I hear otherwise. Although I'm reporting them against the CGI binary, I've had similar results running these snippets against the module too. In each case, I can cause the process (either the CGI binary or the module) to crash. The fuzzers I've written are also available if you so wish.

Disclaimer: I've only had a brief look at 1.x so far and only under VMware. I do have a PlayBook which I'll be breaking in due course but right now it's still in the box. These notes have been floating around in one form or another privately for a while but I wanted to commit them publicly since I'm not sure when I will find time to continue playing....

So recently I had a penetration test where the client had a requirement to allow normal users to execute a specific command as a local admin. Normally, when I hear such a requirement my eyes light up, as it can often be a quick way to get SYSTEM and then the domain. However, in this instance the client proudly told me about his underhanded method. Rather than use something like psexec, he'd discovered a nifty little utility called cpau which purported to encode the credentials to make it safe for use by normal users. Red rag to a bull, I decided to take a look; perhaps the encoding was weak and I could retrieve those all-important credentials....

At the back end of last year I got a Sony Ericsson X10, only to discover that it was still running Android 1.6. This didn't bother me too much at the time as it had all the features I was after (web, SMS and voice) and I left it as it was. Recently, however, I've been getting into Android security, inspired first by Nils' talk at CRESTCon and more recently by some for a client. Anyway, throughout this time, I became aware of an issue that affects the X10. It seems that it is possible to bypass the pattern lock and gain access to data on a locked device. So how is this possible? Take a look at the following:...

Recently a colleague and I were asked to give some training to some ASP.net developers. My colleague was asked to give the main training session, whilst I was asked to run a post-training game to test the developers' retention of the concepts. After looking at some of the existing ASP.net applications I decided I'd like to write my own. The result of this is VulnApp, a BSD-licensed ASP.net application implementing some of the most common applications we come across on our penetration testing engagements. Whilst I'm not intending to package this up into a standalone install, today I committed the source to my CVS server so that others can, if they like, make use of it....

So there's been a lot of fuss over the last few days about the Microsoft Insecure Library Loading Could Allow Remote Code Execution vulnerability, and quite a few folk have been making the age-old point that Linux could never be affected by such a problem. I'm not sure I agree with that though. Whilst it's fair to say that the Linux dynamic linker doesn't by default include . in its path, and you'll very rarely see it listed in ld.so.conf and friends, there is a corner case that could catch Linux folk out. The Linux dynamic linker makes use of a variable called LD_LIBRARY_PATH, which it consults when a binary is executed and which takes precedence over the OS default as set in ld.so.conf. So where's the problem? Consider the following script:...